From frank@funcom.com Tue Nov 9 13:24:21 1999
Date: Sat, 30 Oct 1999 20:40:25 +0200 (CEST)
From: Frank Andrew Stevenson <frank@funcom.com>
To: livid-dev@livid.on.openprojects.net
Subject: [Livid-dev] Working attack on DiskKey Hash



Through private communication with list readers, I was more 
or less challenged..., or so it felt to me, to find a more
attack whereby the encrypted (temporary) diskkey can be 
retrieved from the hash found at the start of the Disk 
key data block. 

Still it seemed to me that it required a workload of 2^40.

« .JJ! I » . seem in the way for speeding up such

■ f 2^ careful study of the structure in the
mangling cipher and the CSS I have now come up with the 
following attack. 

Guess the initial state of LFSR1, and B[0] - the first byte

poi;? e kror n 3 na S B a r of the mangling cipher - From this
point k[0] and B[4], first byte of mangling key, and fifth

chit if ItTftTV be found - Now can be found

111 ntrJA^ £t Sr?r' *" mangling key. Through a table

all permissible k[1] second mangling keys can be found.

f^"^\ mangling key is the output of the ordinary CSS cipher
LFSR1s output is completely known. We have also just found byte
1,2,3 of the CSS cipher output. This gives us 2 possibilities
of 1,2,5 byte output from LFSR2. Luckily there is a 1 <-> 1
mapping of these bytes and the initial state.

So through a table with 2^24 entries the initial state of

"out 256 tl«it Un t' By now completing the mangle cipher
: ° U a 5 LFSR2 startstates will emerge as a candidate,
12 checked the (slow) way. There will 'only'

be 2^17 such checks so performance is not a concern.

The whole attack has a complexity of 2^24 (maybe 25), with
a memory requirement of 64MB. On a PIII/450 it will recover
a set of possible keys in less than 20 seconds.

Sample run on 200MHz R4C:0 (?)
odm:-> time ./unhash fb 91 26 01 fe

CSS hash finder - gobbles memory ( 64 MB RAM ) Good luck

Searching for hash: fb 81 26 01 fe
Initializing k[1] lookup table
Initializing and clearing 64MB of RAM

-!.!^!! lng big table. Wait - this takes time

#################################

Table init completed, now reversing hash

Possible tmp key 21 5b 21 89 32

Possible tmp key 3f 9d fa de f2

Possible tmp key 53 4d *e 9^ "e

114.602u 1.595s 1:59.12 97.5% 0+0k 0+0io 0pf+0w

This recovers 3 possible keys for the given hash,
I believe the wrong ones are easy to eliminate
by trying to decode the datastreams. ( It takes
almost 2 minutes on this CPU, but at least it runs
on bigendians as well )

frank 



Fully functional DiskKey Hash cracker




This sentence is unique th
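
The table step described in the post (a 1 <-> 1 mapping between LFSR2 output bytes and its initial state, inverted through a 2^24-entry table), scaled down to a toy 16-bit register. This is an added example, not part of the original post or of unhash.c; the tap positions, function names and sample state are assumptions and are not the CSS polynomial.

```c
#include <stdint.h>
#include <stdio.h>

#define STATES 65536u            /* 2^16 toy states; the post's table has 2^24 */

static uint16_t table[STATES];   /* keystream prefix -> initial state */

/* Clock once. The feedback bit is also the keystream bit. Because the
 * outgoing bit 0 is one of the (hypothetical) taps, the step is invertible. */
static unsigned clock_bit(uint16_t *s)
{
    unsigned fb = (unsigned)(*s ^ (*s >> 2) ^ (*s >> 3) ^ (*s >> 5)) & 1u;
    *s = (uint16_t)((*s >> 1) | (fb << 15));
    return fb;
}

/* First two keystream bytes produced from an initial state, packed in 16 bits. */
static uint16_t prefix(uint16_t s)
{
    uint16_t out = 0;
    for (int i = 0; i < 16; i++)
        out = (uint16_t)(out | (clock_bit(&s) << i));
    return out;
}

/* Enumerate every state once, filling the table. Returns the number of
 * distinct prefixes seen; STATES means the mapping is one-to-one. */
static unsigned build_table(void)
{
    uint8_t seen[STATES] = {0};
    unsigned distinct = 0;
    for (uint32_t s = 0; s < STATES; s++) {
        uint16_t p = prefix((uint16_t)s);
        if (!seen[p]) { seen[p] = 1; distinct++; }
        table[p] = (uint16_t)s;
    }
    return distinct;
}

/* One lookup replaces a search over all states. */
static uint16_t recover_state(uint16_t observed) { return table[observed]; }

int main(void)
{
    unsigned distinct = build_table();
    uint16_t secret = 0xACE1;                  /* constructed sample state */
    uint16_t got = recover_state(prefix(secret));
    printf("distinct prefixes: %u of %u\n", distinct, STATES);
    printf("recovered 0x%04x from two output bytes\n", got);
    return got == secret ? 0 : 1;
}
```

At the post's scale the same table has 2^24 entries, which matches the quoted 64MB if each entry takes 4 bytes.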


